Progress report on Nokia Lumia 800 interop unlock research (Part 2)

Tags: windows-phone, hack, nokia, mobile, microsoft

Continued efforts to bring interop capabilities to my Nokia Lumia 800 (who doesn’t like full native OS access anyway?) led me to an idea that might’ve worked (but apparently doesn’t at this moment). There are a couple of applications available through the Zune Marketplace as a part of the Nokia Collection that access ID_CAP_INTEROPSERVICES.

My thought was that I would eventually hit an HTTP request for the application XAP, and that this might be one of the vectors where I could push my own XAP instead, directly from the local computer. As an example, I took the Contacts Transfer application. With a little bit of Wireshark and Fiddler work, I noticed that the URL was something like this:

http://apps-p.marketplace.windowsphone.com/APPLICATION_GUID/THE_XAP_I_WANT.xap

Simple enough: I opened Fiddler and created an AutoResponder rule (thanks to Pedro Lamas for the suggestion) that serves a local XAP when the above-mentioned request is detected:

[Image: the Fiddler rule described above]

My phone was connected to an ad-hoc network through the Fiddler proxy – that way, I could intercept and modify the traffic that goes through it.

I must say that Windows Phone does pick up the local file and download it (as per the specified rule). The problem comes when I try to install it. Every XAP package that comes from the Marketplace is signed and contains a WMAppPRHeader.xml – a file that is considered the package's “digital stamp.” It contains the checksum against which the package is verified during installation. If the checksum does not match the content, the package will not be installed.

I thought that a factor in package verification is the size, since it is mentioned in the XAP marketplace manifest:

http://catalog.zune.net/v3.2/en-US/apps/GUID_OF_THE_SELECTED_MANIFEST?clientType=WinMobile%207.1&store=Zest&store=&store=Nokia

I created a size-identical copy of the original XAP package (fsutil file createnew PATH SIZE) and tried to push it to the device. No luck here either – size might be one of the factors, but the general contents of the package are also part of the requirements.

Still looking at this method, though.
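The result above, a size-identical file being downloaded but refused at install time, is what any content-bound stamp produces. The following is an added example, not code from the original post and not the actual Windows Phone verification (which the post does not detail): it assumes a hypothetical `Stamp.txt` entry, a constructed key and HMAC-SHA256 standing in for the store's signature, and uses constructed sample data.

```python
import hashlib, hmac, io, zipfile

STAMP = "Stamp.txt"              # hypothetical stand-in for the package's header file
STORE_KEY = b"constructed-key"   # constructed; stands in for the store's signing key

def content_digest(entries):
    """SHA-256 over every entry name and body, length-prefixed, in name order."""
    h = hashlib.sha256()
    for name in sorted(entries):
        n = name.encode()
        h.update(len(n).to_bytes(4, "big") + n)
        h.update(len(entries[name]).to_bytes(8, "big") + entries[name])
    return h.digest()

def stamp_for(entries, key):
    """Keyed stamp (HMAC-SHA256) binding the stamp to the exact contents."""
    return hmac.new(key, content_digest(entries), hashlib.sha256).hexdigest().encode()

def build_package(entries, stamp):
    """Write the entries plus the stamp into an uncompressed ZIP, returned as bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr(STAMP, stamp)
    return buf.getvalue()

def verify(blob, expected_size, key=STORE_KEY):
    """Installer-side check: size first, then structure, then the content stamp."""
    if len(blob) != expected_size:
        return "size mismatch"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            entries = {n: zf.read(n) for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "not a package archive"
    stamp = entries.pop(STAMP, None)
    if stamp is None or not hmac.compare_digest(stamp, stamp_for(entries, key)):
        return "stamp does not match contents"
    return "ok"

# Constructed sample data.
ORIGINAL = {"AppManifest.xaml": b"<Deployment/>", "App.dll": b"constructed bytes"}
CHANGED = {**ORIGINAL, "App.dll": b"CONSTRUCTED BYTES"}   # same length, different body
GOOD = build_package(ORIGINAL, stamp_for(ORIGINAL, STORE_KEY))
ZEROS = bytes(len(GOOD))   # zero-filled and size-identical, like `fsutil file createnew`
STALE = build_package(CHANGED, stamp_for(ORIGINAL, STORE_KEY))   # old stamp, new body
REKEYED = build_package(CHANGED, stamp_for(CHANGED, b"not the store key"))

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("zeros", ZEROS), ("stale", STALE), ("rekeyed", REKEYED)]:
        print(label, len(blob) == len(GOOD), verify(blob, len(GOOD)))
```

All four samples have the same byte length, so a size comparison alone cannot tell them apart; only the stamp check separates the original from the other three.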

12 Comments

  • Adam Walker said

    Could you not just regenerate the checksum and reinject it into the xap (in the WMAppPRHeader file)?

  • Lumia_freak said

    lots of people out there would love to get an unlock for their lumia 800 phones!
    thx a lot for your work!!!

    keep goin!

    greez

  • VILIC said

    I tried this way today and failed, too. I've no idea if you have noticed the data appended to the xap (zip) file. And before it starts the download, it uses HTTPS to visit a Zune site, and may get some signature information. And the xap download URL has two parameters, which I think may be got from the HTTPS conversation. I consider the key to be the data appended to the xap file. Maybe much more effort is needed to fake it.

  • Adam Walker said

    Ah ok, so it isn't just a SHA/MD5 of the package and request to get it?

    I assume that it would be as that's a pretty common way of authenticating. Shame :(

    I guess the network setup app is the way to go!

  • Alex said

    Maybe this can help.
    KID in DRM file is base64 version of mediaInstanceId guid.

    http://catalog.zune.net/v3.2/en-US/apps/eb4c6c3c-549c-e011-986b-78e7d1fa76f8/?version=latest&clientType=WinMobile%207.1&store=Zest

  • xSacha said

    OK I can see you tried what I mentioned in Part 1.

    Now, you just need to resign. Look at how 3Mrktplace does this for cracked apps. It should be the same method.

  • raaaa said

    Silly question but is your phone dev-unlocked? I mean, on a dev-unlocked device you should be able to deploy a XAP that has not been signed by the marketplace.

  • Chitrarth said

    http://forum.xda-developers.com/showthread.php?t=1587650&page=1

    Take a look here, after injecting some files it may be possible to install a custom firmware or interop our lumia..
